azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-20 06:52:41

Browse Source 
Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-20 06:52:41
This commit is contained in:
Mike Swanson
2026-05-20 06:52:58 -07:00
parent 5b99e4b80b
commit 35c1270941
1 changed files with 131 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
session-logs/2026-05-20-session.md
View File

@@ -193,3 +193,133 @@ M365 connector setup:
Report delivered to:
C:\Users\guru\AppData\Local\Temp\CryoWeave_SEO_Report.txt (Notepad, local only)
---
## Update: Afternoon — Rob Activity Audit & Server Security
### Session Summary
This session was a two-track investigation into Rob's (employee) server activity and productivity validation on IX (172.16.3.10) and websvr (websvr.acghosting.com). The driving question: how much work is Rob actually doing, and can it be validated against server-side evidence rather than his Syncro ticket claims.
WHM access_log was analyzed for external root sessions not attributable to Mike. Three non-Mike root access vectors confirmed: 97.181.171.114 (Verizon Wireless AZ, March 2, 2026 — DNS Zone Editor, mass_edit_dns_zone), 74.244.177.66 (Starlink Phoenix, April 21, 2026 — DNS Zone Editor + graceful_reboot_landing/server reboot), and 174.234.68.59 (Verizon Wireless NV, December 2025 — two SSH root terminal sessions 2+ hours each). All three attributed to Rob. The arizonawebsitedesign.pro account was cleaned of a Duplicator installer (installer.php, Sep 2022), ALFA web shell framework remnant under .well-known/pki-validation/ALFA_DATA/, and two zero-byte PHP files.
WordPress session_tokens were queried across all Rob-associated admin accounts. Rob's `rob@azcomputerguru.com` guruadmin accounts remain active on 25+ client sites; last confirmed Rob-IP sessions from Cox 69.136.118.50 through May 2025. Recent sessions showing Mike's Comcast IP 76.18.103.222 were initially flagged as anomalous but Mike confirmed Rob has legitimate Tailscale access — his traffic exits through Mike's LAN. Rob also has a `magus/info@maguspressworks.com` identity (maguspressworks.com, registered April 2024) with admin on hightechmortgage_maindb, nwpool_db, nwpool_maindb, packetdial_2022 — all added October 20, 2025.
Productivity validation cross-referenced login timestamps against actual server-side evidence. WordPress post revisions confirmed real content work on hightechmortgage only (April 6, 2026: User Registration page edited/published, htm_user_class entries by magus). All other recent sessions (acepickupparts May 6, nwpool May 12, packetdial May 18-19, thrive May 2025) showed no post revisions or only an auto-draft. Rob's automation scripts in /root were inventoried — six scripts written and run once on January 13, 2026, plus scan_smart_slider.sh added April 11, 2026 in response to Smart Slider 3 Pro CVE. None are cron-scheduled.
SSH authorized_keys audited on both servers. A GoDaddy infrastructure key (root@224.235.109.208.host.secureserver.net) was found in IX root authorized_keys with no justification and was removed. websvr has a `rob` cPanel account with an empty crontab. Session ended with a discussion of non-root access architecture (WHM reseller + sudo-restricted SSH) for Rob. Mike has a meeting with Rob on 2026-05-21 to discuss productivity; outcome will be either implementing the reseller scheme or full lockout.
### Key Decisions
- **Tailscale exit node explains 76.18.103.222 sessions** — initially treated as anomalous. Mike confirmed Rob has Tailscale network access. Traffic egresses through Mike's LAN. No security incident.
- **GoDaddy key removed immediately** — no documented justification for external root SSH trust from GoDaddy infrastructure. Removed same session; backup retained on server.
- **Post revisions as primary work evidence** — reliable because they are created by the editing user with a timestamp. Filesystem mtimes not used due to noise from automated processes.
- **Automation scripts assessed as one-time work** — all report outputs dated January 13, 2026 only. Not scheduled, not maintained.
- **Discord IP pull ruled out** — Discord does not expose member IPs to server admins. Not viable without legal process.
### Problems Encountered
- **Collation mismatch on UNION query** — UNION ALL across multiple WordPress databases failed: `ERROR 1271 (HY000): Illegal mix of collations`. Resolved by running per-database queries instead.
- **plink batch mode rejected hostkeys** — Both IX and websvr failed with `FATAL ERROR: Cannot confirm a host key in batch mode`. Resolved by adding `-hostkey <fingerprint>` to all commands.
### Configuration Changes
- **Removed** GoDaddy SSH key from `/root/.ssh/authorized_keys` on 172.16.3.10
- Key: `ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP2RXPvnQjdn/hvLtzqiFibKEfcYZviwZIgr26VyVdMT root@224.235.109.208.host.secureserver.net`
- Backup: `/root/.ssh/authorized_keys.bak.20260520` on IX
- **Removed** from `/home/azwebdesign/public_html/` on IX:
- `installer.php` (75KB Duplicator installer, Sep 2022)
- `dup-installer-bootlog__970a9a6-14174455.txt`
- `.well-known/pki-validation/ALFA_DATA/` directory
- `.well-known/pki-validation/marijuan.php` (0 bytes)
- `.well-known/pki-validation/0r.php` (0 bytes)
### Infrastructure
- **websvr.acghosting.com** — 162.248.93.81, CentOS 7, WHM/cPanel, SSH hostkey: `SHA256:qcaW8BWq5UyM0l0g6DS9JfYbMZN/LTXLs3BIEZV8BE0`
- **websvr root password:** `[3H+_f.Yh4c0>@egH[6L!?u]S3s[9C82` — vault: `infrastructure/websvr-legacy-hosting.sops.yaml`
### Rob's Identity and Access Profile
- **Primary:** `rob@azcomputerguru.com` — guruadmin on 25+ WP client sites (batch-created 2020-03-17)
- **Secondary:** `magus / info@maguspressworks.com` — admin on hightechmortgage, nwpool (x2), packetdial_2022 (added 2025-10-20)
- **Business:** maguspressworks.com — Namecheap, registered 2024-04-12, updated 2026-03-14, privacy protected
- **Cox IP:** 69.136.118.50 — last Rob session May 20, 2025
- **Verizon mobile:** 97.181.171.114 (WHM Mar 2026), 174.234.68.59 (SSH Dec 2025)
- **Starlink Phoenix:** 74.244.177.66 (WHM Apr 2026)
- **Via Tailscale/Mike's LAN:** 76.18.103.222 — multiple WP sessions 2025-2026
### Rob's Automation Scripts (IX /root/)
All scripts run once only. Not cron-scheduled.
| Script | Purpose | Last Modified |
|---|---|---|
| `/root/scan_sites.sh` | Error logs, PHP memory errors, WP DB list | 2026-01-13 11:31 |
| `/root/check_dbs.sh` | DB bloat per site | 2026-01-13 11:32 |
| `/root/cleanup_error_logs.sh` | Truncate error logs for ~11 domains | 2026-01-13 20:01 |
| `/root/cleanup_wordfence.sh` | TRUNCATE Wordfence tables across all DBs | 2026-01-13 20:09 |
| `/root/generate_security_performance_report.sh` | Full IX security/perf audit | 2026-01-13 20:12 |
| `/root/scan_smart_slider.sh` | Smart Slider 3 Pro CVE scanner | 2026-04-11 05:09 |
| `/root/URGENT_SITE_ISSUES.txt` | Jan 13 scan findings (3.4KB) — not yet read | 2026-01-13 11:33 |
| `/root/IX_SECURITY_PERFORMANCE_REPORT_2026-01-13.txt` | Full report (37KB) — not yet read | 2026-01-13 20:16 |
### WordPress Last Login Summary (Rob Accounts)
| Database | Account | Last Login (UTC) | IP |
|---|---|---|---|
| cryoweave_maindb | guruadmin | 2023-03-17 16:06 | 70.162.90.195 |
| thrive_maindb | guruadmin | 2025-05-20 21:02 | 69.136.118.50 (Rob's Cox) |
| drsticken_maindb | guruadmin | 2024-05-31 19:42 | 69.136.118.50 |
| compoundfitness_maindb | guruadmin | 2024-05-22 20:30 | 69.136.118.50 |
| bruceext_maindb | guru | 2024-06-06 16:59 | 69.136.118.50 |
| blackswanarchery_maindb | guruadmin | 2025-07-24 17:27 | 76.18.103.222 (Tailscale) |
| acepickupparts_maindb | guruadmin | 2026-05-06 17:15 | 76.18.103.222 (Tailscale) |
| peacefulspirit_wp24 | guruadmin | 2026-05-09 04:24 | 76.18.103.222 (Tailscale) |
| hightechmortgage_maindb | magus | 2026-04-06 19:46 | 76.18.103.222 (Tailscale) |
| nwpool_maindb | magus | 2025-12-08 15:27 | 127.0.0.1 (server-side) |
| nwpool_db | magus | 2026-05-12 03:45 | 76.18.103.222 (Tailscale) |
| packetdial_2022 | magus | 2026-05-18 14:18 | 76.18.103.222 (Tailscale) |
| packetdial_2022 | magus | 2026-05-19 21:39 | 76.18.103.222 (Tailscale) |
### WordPress Content Confirmed vs. Login Events
| Site | Session Date | Work Found | User | Detail |
|---|---|---|---|---|
| hightechmortgage | 2026-04-06 | Yes | magus | Published "User Registration" page, htm_user_class (Client/Investor) entries |
| packetdial | 2026-05-18 | Minimal | magus | Auto-draft only + automated URL metrics update |
| peacefulspirit | 2026-05-09 | Other user | mara | "Meet The Staff" revised by `mara`, not Rob |
| acepickupparts | 2026-05-06 | None | — | Login, no post revisions |
| nwpool | 2026-05-12 | None | — | Login, no post revisions |
| thrive | 2025-05-20 | None | — | Login, no post revisions |
### IX SSH Authorized Keys (Post-Cleanup, 10 keys)
Rotating cPanel keys (4), azcomputerguru@local, claude-code, claude-code@localadmin, root@websvr.acghosting.com, guru@wsl, root@Jupiter.
Removed: `root@224.235.109.208.host.secureserver.net` (GoDaddy).
### Pending — 2026-05-21 Rob Meeting
Two outcomes:
**Option A — Continue employment / implement tracked access:**
1. Create WHM reseller account for Rob on IX (and websvr)
2. Grant ACL-based WHM privileges (DNS editor, WP Toolkit, assigned client accounts)
3. Create system user `rob` + `/etc/sudoers.d/rob` restricting SSH commands
4. Remove Rob's root-level WHM/SSH access
5. Assign specific client cPanel accounts to his reseller ownership
**Option B — Termination / lockout:**
1. Change root WHM password on IX and websvr
2. Remove Rob's Tailscale node
3. Disable guruadmin (rob@azcomputerguru.com) on all 25+ client WP sites
4. Disable magus (maguspressworks.com) on hightechmortgage, nwpool (x2), packetdial
5. Revoke any remaining API tokens or remote access tools
### Still Not Investigated
- `/root/URGENT_SITE_ISSUES.txt` — Rob's Jan 13, 2026 findings (3.4KB)
- `/root/IX_SECURITY_PERFORMANCE_REPORT_2026-01-13.txt` — full server report (37KB)
- DNS records Rob modified in March 2 and April 21 WHM sessions — what zones/records changed
- Reason for April 21 server reboot (graceful_reboot_landing) — authorized?